• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

how do you setup users with restricted access

Scheduled Pinned Locked Moved General pfSense Questions
35 Posts 4 Posters 5.9k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • C
    comet424
    last edited by Aug 28, 2020, 1:02 AM

    hi i trying to figure out how to add a user with restricted access to the network

    what i have already is my admin account with a openvpn server so i can access my network from remote location..

    now id like to setup for my son when hes not home but to have limited access to some VMs i setup on Unraid..
    i created a user and a Group but i tried looking under Fire wall rules like Group or so so when he logs in he would only get access to a certain set of IPS like say under Alias's and setup Alisas of 10 ip Address's and he would only be able to access those.. so rest of the network isnt compromised if he had someone else log in using openvpn client

    is this possible if there is a link or a video i could watch be great too

    J 1 Reply Last reply Aug 28, 2020, 1:12 AM Reply Quote 0
    • J
      JKnott @comet424
      last edited by Aug 28, 2020, 1:12 AM

      @comet424

      I hope you understand that you should do as little as possible on a firewall. Everything else you do beyond that brings potential vulnerabilities.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      1 Reply Last reply Reply Quote 0
      • C
        comet424
        last edited by Aug 28, 2020, 1:22 AM

        ah ok so whats the best route then.. to let him log into network to access VM's to work on... i tried Teamviewer app but it didnt always work

        so i figured with pfsnese make a user then restrict access to a couple IP address's and connect with the OpenVPN...

        but isnt that what the users section is for to add users to be able to access the network? for business? as i wanted basiclly he get a login and he only gets access to 5 ip address's on the network rest is blocked..

        its just idea to give access to 5 vms so i dont know how to do that or even if possible with pfsenseor if thats like a windows server account access thing.. jsut ideas i looking into

        1 Reply Last reply Reply Quote 0
        • C
          comet424
          last edited by comet424 Aug 28, 2020, 1:39 AM Aug 28, 2020, 1:37 AM

          i did read under the user for privleges but they confused me

          what i wanted was
          user1 ---> access the network of 192.168.0.x (but only have access to 192.168.0.10-192.168.0.15) as the example the rest be blocked

          i was thinking like a different network 192.168.50.x but i dont have vlans and i dont think i can with my network switch or if i can as my unraid is 192.168.0.x and id have to set the ip address to like 192.168.50.x and not sure if that would work

          1 Reply Last reply Reply Quote 0
          • G
            Gertjan
            last edited by Aug 28, 2020, 6:14 AM

            Like this :

            I have a default LAN network 192.168.1.0/24.
            I have 2 access points using 192.168.1.3 and 192.168.1.14.

            I created an alias like :

            95bdcf01-a1cd-4e7e-b23b-3d6e20c9f7b0-image.png

            These are my firewall rules :

            d91c5a5b-bab6-4b03-9778-1aa03119743b-image.png

            Note : this is just an example - I do have an issue because my pfSense OpenVPN remote access works with IPv4 and IPv6, so I could access my devices using IPv6.

            I tested : in the 192.168.1.0/24 network I could only access my 2 AP's on .3 and .14 - and no other devices in that network.
            I could use the other networks, like the entire Internet.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            1 Reply Last reply Reply Quote 0
            • C
              comet424
              last edited by Aug 28, 2020, 12:43 PM

              @Gertjan
              you say you have an issue with the ipv6 is that good or bad?
              so your openvpn firewall rules
              the first like Pass Local IPs what does mean it allows the 2 IPs right?
              the 2nd line blocks the rest of the IP address's except the the 2 in 10_15
              and then what doe it do for the 3rd line OpenVPN All

              i not pro at this.. i just usually set it up and forget it so i dont tweak it every day lol
              but ill give that a try

              G 1 Reply Last reply Aug 28, 2020, 12:57 PM Reply Quote 0
              • G
                Gertjan @comet424
                last edited by Aug 28, 2020, 12:57 PM

                @comet424 said in how do you setup users with restricted access:

                you say you have an issue with the ipv6 is that good or bad?

                My rules - alias based pass rule and block rule wirk with IPv4.
                I could address these device and other devices using their IPv6, and them my two demo rules wouldn't have any effect.

                I shwoed you

                @comet424 said in how do you setup users with restricted access:

                the first like Pass Local IPs what does mean it allows the 2 IPs right?

                Yep, the alias "10_15" is shown.

                @comet424 said in how do you setup users with restricted access:

                the 2nd line blocks the rest of the IP address's except the the 2 in 10_1

                The second rules blocks the entire network 192.168.1.0/24 with no exception.
                This include my AP1 192.168.1.3 and AP2 192.168.1.14
                If I was talking to 192.168.1.3, the second rule would never be reached, as the first rules applies.

                @comet424 said in how do you setup users with restricted access:

                and then what doe it do for the 3rd line OpenVPN All

                If the traffic was for another network, like a some local 192.168.2.0/24 IP, the traffic would pass.
                If I wanted to connect to www.netgate.com, the traffic would pass.
                The third rule, if reached, says : pass all.

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                1 Reply Last reply Reply Quote 0
                • C
                  comet424
                  last edited by Aug 28, 2020, 1:43 PM

                  ok i think i understand
                  i just set it up like yours basiclly and i added to my lan rules as i had no internet to setup ubuntu

                  but ok
                  so If you didn have 10_1 then the 2nd rule blocks all access including 2 ips

                  so first one allows access to the 2 ips
                  the 2nd line blocks everything including the 2 ips but because You allowed 2 ip address in the first line it allows access to the 2 ips but blocks the rest

                  so the 3rd rule allows access to any subnets like 192.168.10.x 192.168.20.x www.netgate.com etc

                  if so how would you would set it not to access 10.x 20.x if i had that setup
                  would that be in the block and state block 192.168.20.0/24 like the 192.168.1.0/24 in your setup

                  i think i got it confugred and ill have to go try it from a home depot as i dont have internet on my phone other then my home network or if i hit a home depot lol..
                  so will see if she works well...
                  i appreciate the help so far i very appreciated

                  A 1 Reply Last reply Aug 28, 2020, 1:52 PM Reply Quote 0
                  • C
                    comet424
                    last edited by comet424 Aug 28, 2020, 1:52 PM Aug 28, 2020, 1:47 PM

                    here is the rules i set landon.PNG

                    update..
                    here is i added blocks for the 10.x 20.x as i havent set them up yet dont have guests or cameras yet.. just future for over winterlandon.PNG

                    1 Reply Last reply Reply Quote 0
                    • A
                      akuma1x @comet424
                      last edited by Aug 28, 2020, 1:52 PM

                      @comet424 The firewall rules in pfsense work from the top to the bottom on an interface, the first rule to match wins, no other rules are evaluated.

                      To setup your block rule for 10.x.20.x, you would simply create a new rule with that as the destination, and either an alias with your source IP addresses, or a specific IP address on that same subnet, or some other network on your pfsense box.

                      The rule @Gertjan used above blocks all other devices except the 0.10 - 0.15 hosts. Then, after you create this rule, drag it to an appropriate spot in your firewall list and do some testing.

                      Jeff

                      1 Reply Last reply Reply Quote 0
                      • G
                        Gertjan
                        last edited by Gertjan Aug 28, 2020, 1:58 PM Aug 28, 2020, 1:55 PM

                        I initially thought I understoof your question :

                        You want your son, when he is connecting from 'some where', using the pfSense OpenVPN, having access to some devices on the LAN - and not to others.
                        Right?

                        H'll be using the pfSense OpenVPN server, so the rules I showed should be placed on the OpenVPN interface firewall rule tab.
                        Because OpenVPN server traffic comes in by this interface.
                        Not the LAN interface : he isn't connected to the LAN interface.

                        You put all the IP addresses he is allowed to connect to into an alias
                        Use this alias in a Pass rule.
                        Then create a second block rule, that forbids all access to the network (the IP addresses uses in the alias are part of this network).
                        Put in place a third - pass all rule if you allow that he can visit the Inter through the OpenVPN remote access.

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

                        1 Reply Last reply Reply Quote 0
                        • C
                          comet424
                          last edited by Aug 28, 2020, 1:56 PM

                          @akuma1x
                          ok is this correct then landon.PNG
                          this is my LAN rules i think i have it set properly then

                          lan.PNG

                          1 Reply Last reply Reply Quote 0
                          • C
                            comet424
                            last edited by Aug 28, 2020, 1:58 PM

                            @Gertjan ok ill have to re read

                            what i did was setup 2 OPENVPNs

                            i already have 1 for myself to give full access
                            and the 2nd open i made for him and thats LandonsVMS thats linked to the 2nd openvpn thas what i thought you had setup in your example.. so i made 2 openvpn servers

                            as there was no option in pfsense to allow a user to use the OpenVPN and under restrictions of user to access certain IPS

                            1 Reply Last reply Reply Quote 0
                            • C
                              comet424
                              last edited by comet424 Aug 28, 2020, 2:06 PM Aug 28, 2020, 2:05 PM

                              ok i renamed my interface so doesnt confuseland2.PNG

                              what i really wanted was
                              1 OpenVPN server running
                              user (me) has full admin access when loggin in
                              user (landon) has only access to the VMS (for now)

                              but under users you can create Groups but i tried asking and i tried looking through the settings

                              to say User Group (LandonsVMS) has access to this range
                              but when you look under the access they can have its just the pfense pages access control.. not like restricted access

                              so now i made 2 Open VPNS 1 for my to log in full access and other for his access
                              if i knew how to make 1 server and then 2 user accounts 1 that has full access and 2nd has just access to the VM Ips

                              and sorry my dislexia confuses people too i dont explain things right.. yet sounds right to me

                              G 1 Reply Last reply Aug 28, 2020, 3:07 PM Reply Quote 0
                              • G
                                Gertjan @comet424
                                last edited by Aug 28, 2020, 3:07 PM

                                @comet424 said in how do you setup users with restricted access:

                                to say User Group (LandonsVMS) has access to this range
                                but when you look under the access they can have its just the pfense pages access control.. not like restricted access

                                The pfSense user access :

                                e262a53f-987d-46c4-aed8-a36855c07958-image.png

                                determines what users - can access the web GUI of pfSense, and what parts.
                                It doesn't handle network access.

                                Your choice to have two OpenVPN servers with dedicated firewall rules seems a good solution to me.

                                No "help me" PM's please. Use the forum, the community will thank you.
                                Edit : and where are the logs ??

                                1 Reply Last reply Reply Quote 0
                                • C
                                  comet424
                                  last edited by Aug 28, 2020, 3:31 PM

                                  @Gertjan ah ok to groups is just editing the pfsense.. figured you only want an admin to edit it

                                  so that also means users can log in to either openvpn then with there login pass

                                  i come across another issue with the openvpn to make that 2nd openvpn i did the wizard where you create a new cert new ca i did the 192.168.0.0/24 etc i chose the assignment and gave that openvpnvm link... but when i goto to Export the clients are not shown.. its there for the main one i have for full access

                                  so i get "If a client is missing from the list it is likely due to a CA mismatch between the OpenVPN server instance and the client certificate, the client certificate does not exist on this firewall, or a user certificate is not associated with a user when local database authentication is enabled."

                                  now today first time running 2 openvpn servers and its been a year since i even touched my openvpn server since i set it and forget it.. and dont work with this everyday..

                                  i did the wizard but what could gone wrong.. where would i look what screen shots would you need

                                  1 Reply Last reply Reply Quote 0
                                  • C
                                    comet424
                                    last edited by Aug 28, 2020, 3:45 PM

                                    gonna try... delete cas certs openvpn server firewall settings it creates and do a reboot so its clean to see if it fixe's it

                                    when in doubt do a reboot lol

                                    1 Reply Last reply Reply Quote 0
                                    • C
                                      comet424
                                      last edited by comet424 Aug 28, 2020, 4:32 PM Aug 28, 2020, 3:58 PM

                                      well that didnt work
                                      deleted all saved rebooted.
                                      then ran wizard still says that issue on export

                                      update..
                                      figured it out had to choose user and the bottom the certs linked and had to link exisit cert... now i can test it at home depot lol

                                      hopefully it all works (:

                                      1 Reply Last reply Reply Quote 0
                                      • C
                                        comet424
                                        last edited by comet424 Aug 28, 2020, 5:30 PM Aug 28, 2020, 5:29 PM

                                        @
                                        @Gertjan
                                        ok so i cant seem to connect,,, i was able to connect to my orginal openvpn

                                        the 2nd one with my other account its stuck on connecting.. i was able to download the opvn file but when connecting its jus stuck connecting... is there something to check.. i checked that it was basiclly exactly same as the admin one i have setup and i did run the wizard.. but its stuck at connecting.... even if i make up a user using the client software it stays connecting.. if i make up a user on my orginal open vpn it tells me invalid

                                        so its not getting to authenticating or what not

                                        1 Reply Last reply Reply Quote 0
                                        • C
                                          comet424
                                          last edited by Aug 29, 2020, 2:17 AM

                                          @Gertjan
                                          so i got it to log in using the landon account i had to delete the user and re add it then create cert button instead of add cert and then add exisiting cert..

                                          but there is issue.. i was getting full access to the network.. so when i got home.. LandonsVM Open VPN didnt get really access.. but it went to the OPENVPN Firewall rules.. it didnt go to the correct firewall rule.. where do i look

                                          also everytime i delete the openvpn server, certs,ca, and do the wizard again.. it always saves the rule under OPENVPN not the LandonsVMOpenVPN..
                                          but interface is set for it so its going to the wrong firewall rule
                                          what do i look for that its going to the wrong rules?

                                          interfaces
                                          rule3.PNG

                                          rules
                                          rule2.PNG rule1.PNG

                                          1 Reply Last reply Reply Quote 0
                                          20 out of 35
                                          • First post
                                            20/35
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                            This community forum collects and processes your personal information.
                                            consent.not_received